Re: I-D ACTION:draft-ietf-dnsext-ds-sha256-02.txt
On Wed, Dec 14, 2005 at 01:41:50PM -0500, Scott Rose wrote:
> I think there is a typo in Section 3, second paragraph:
>
> "Validator implementations MUST, by default, ignore DS RRs containing SHA-1
> digests if DS RRs with SHA-256 digests are present in the DS RRset. This
> behavior SHOULD be the default."
>
> Did the group decide on MUST, or SHOULD?
My understanding of the discussion was that we agreed that the
default needs to be SHA-256, but that this is ultimately a policy
decision, so operators need to have the ability to instead prefer
SHA-1 if they want. Some of us were arguing that this entailed the
SHOULD formulation; at least one person argued that such a weakness
is too great, and wanted the MUST formulation. Since this is just a
default setting requirement, I can't see that it makes any
difference, in light of the sentence following the "SHOULD be the
default":
Validator implementations MAY provide configuration settings that
allow network operators to specify preference policy when
validating multiple DS records containing different digest types.
So I don't care which one we settle on, as long as the requirement
doesn't get any stronger such that it alters the ability for
operators to do something else, if they have to.
A
--
Andrew Sullivan
Afilias Canada
<andrew@ca.afilias.info>
+1 416 646 3304 x4110
204-4141 Yonge Street
Toronto, Ontario Canada
M2P 2A8
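As an added illustration of the default and the operator override under discussion (example code, not from the draft or anyone in this thread): a sketch of a validator's DS-selection step, where SHA-1 DS records are ignored whenever a SHA-256 DS record is present unless the operator's preference policy says otherwise. Digest type codes 1 (SHA-1) and 2 (SHA-256) and the digest construction over owner name plus DNSKEY RDATA follow RFC 4034; the owner name, key data and key tag below are constructed sample values.

```python
import hashlib
from collections.abc import Iterable, Sequence
from dataclasses import dataclass

# DS digest type codes from the DS RR registry (RFC 4034 / RFC 4509).
SHA1, SHA256 = 1, 2
HASHES = {SHA1: hashlib.sha1, SHA256: hashlib.sha256}

# Default from the draft text quoted in the thread: SHA-256 when present, SHA-1 otherwise.
DEFAULT_PREFERENCE = (SHA256, SHA1)


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, dnskey_rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(owner name wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return HASHES[digest_type](name_to_wire(owner) + dnskey_rdata).digest()


def usable_ds(rrset: Iterable[DS], preference: Sequence[int] = DEFAULT_PREFERENCE) -> list[DS]:
    """Keep only the DS RRs of the most-preferred digest type actually present.

    With DEFAULT_PREFERENCE this is the draft's rule; unknown digest types are dropped.
    """
    known = [ds for ds in rrset if ds.digest_type in preference]
    for dtype in preference:
        chosen = [ds for ds in known if ds.digest_type == dtype]
        if chosen:
            return chosen
    return []


def dnskey_matches(owner: str, dnskey_rdata: bytes, rrset: Iterable[DS],
                   preference: Sequence[int] = DEFAULT_PREFERENCE) -> bool:
    """True if some DS RR kept by the policy has a digest matching this DNSKEY."""
    return any(ds.digest == ds_digest(owner, dnskey_rdata, ds.digest_type)
               for ds in usable_ds(rrset, preference))


# Constructed sample: fake DNSKEY RDATA (flags 257, protocol 3, algorithm 8, dummy key)
# and a DS RRset holding one SHA-1 and one SHA-256 DS for that same key.
SAMPLE_OWNER = "example.test."
SAMPLE_DNSKEY = bytes([0x01, 0x01, 0x03, 0x08]) + bytes(range(32))
SAMPLE_RRSET = [DS(12345, 8, SHA1, ds_digest(SAMPLE_OWNER, SAMPLE_DNSKEY, SHA1)),
                DS(12345, 8, SHA256, ds_digest(SAMPLE_OWNER, SAMPLE_DNSKEY, SHA256))]
```

With the default preference a bogus SHA-1 DS sitting next to a valid SHA-256 DS is never consulted; an operator policy that puts SHA-1 first re-enables it, which is exactly the trade-off the MUST/SHOULD wording is about.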